[Sip-security] Re: [Sipping] Re: SIP authentication problem when using RES in Digest-AKA
"Niemi Aki (NET/Espoo)" <aki.niemi@nokia.com> Fri, 15 March 2002 13:21 UTC
Message-ID: <3C91F48F.9020207@nokia.com>
Date: Fri, 15 Mar 2002 15:18:07 +0200
From: "Niemi Aki (NET/Espoo)" <aki.niemi@nokia.com>
To: ext Jari Arkko <Jari.Arkko@lmf.ericsson.se>
CC: Greg Rose <ggr@qualcomm.com>, Sanjoy Sen <sanjoy@nortelnetworks.com>, 'John W Noerenberg II' <jwn2@qualcomm.com>, sipping@ietf.org, sip-security@ietf.org, jari.arkko@ericsson.com, vesa.torvinen@lmf.ericsson.se, James Undery <jundery@ubiquity.net>
References: <4.3.1.2.20020315124047.05271fd8@127.0.0.1> <3C91C1C6.E3464A36@lmf.ericsson.se>
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>

Hi,

On 03/15/2002 11:41 AM, ext Jari Arkko wrote:

[snip]

> Let's study this by considering two cases:
>
> (a) AKA is run at the beginning and if any further
>     communications with the home network take place,
>     the RES is cached and used as a password. This
>     allows the attack described by Greg. But as
>     Aki explained, it seems that we have forbidden
>     this in Draft-niemi.

I would further divide this into two subcases:

(a1) The actual Digest credentials are cached, and the UA attempts to use them in further communications with the same server. If the server is not happy with them, it can rechallenge.

(a2) The RES is cached, and used again as part of the stale nonce scheme when calculating Digest credentials.

From these two, I'd say only the second case seems to be forbidden in draft-niemi.

Regards,
Aki

> (b) AKA has to be run every time, and a RES can't be
>     reused. Is there a problem left then?
>
> Jari
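
The two subcases in the message above, as an added example that is not part of the original post or of draft-niemi: a constructed server that treats the RES as the Digest password (RFC 2617 MD5 Digest without qop) and expects a different RES for every nonce. Assumptions: `toy_res` is an HMAC stand-in for the AKA computation, and the key, realm, user, URI and the one-RES-per-nonce policy are illustrative only.

```python
import hashlib, hmac, os

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, nonce, method, uri):
    # RFC 2617 Digest without qop; with Digest-AKA the RES is the password.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def toy_res(key, nonce):
    # Stand-in for the AKA computation (NOT the real AKA functions):
    # a RES that depends on the shared key and on this challenge only.
    return hmac.new(key, bytes.fromhex(nonce), hashlib.sha256).hexdigest()[:16]

class Server:
    def __init__(self, realm, key):
        self.realm, self.key, self.live = realm, key, set()

    def challenge(self):
        nonce = os.urandom(16).hex()   # stands in for the nonce carrying the AKA challenge
        self.live.add(nonce)
        return nonce

    def verify(self, user, nonce, method, uri, response):
        if nonce not in self.live:
            return "rechallenge"       # (a1): server no longer accepts the cached credentials
        good = digest_response(user, self.realm, toy_res(self.key, nonce), nonce, method, uri)
        return "ok" if hmac.compare_digest(good, response) else "reject"

def demo():
    key, realm, user = b"constructed-shared-key", "example.invalid", "alice"
    srv = Server(realm, key)
    args = ("REGISTER", "sip:example.invalid")
    n1 = srv.challenge()
    res1 = toy_res(key, n1)                       # UA runs AKA once
    cred1 = digest_response(user, realm, res1, n1, *args)
    first = srv.verify(user, n1, *args, cred1)

    a1_live = srv.verify(user, n1, *args, cred1)  # (a1) cached credentials, nonce still accepted
    srv.live.discard(n1)                          # server stops accepting n1
    a1_expired = srv.verify(user, n1, *args, cred1)

    n2 = srv.challenge()                          # new nonce, as in the stale nonce scheme
    a2 = srv.verify(user, n2, *args, digest_response(user, realm, res1, n2, *args))  # (a2) cached RES
    fresh = srv.verify(user, n2, *args, digest_response(user, realm, toy_res(key, n2), n2, *args))
    return first, a1_live, a1_expired, a2, fresh
```

In (a1) the server keeps control because it can stop accepting the old nonce and rechallenge; in (a2) a server that expects a new RES per nonce rejects credentials computed from the cached one.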